Hi, this is Akash with this week's newsletter. I write about security engineering to help you get into the world's best security teams. Thank you for your readership.
This week I'm sharing how you can secure any system with 4 control frameworks: Identification, Authentication, Authorization & Audit. Hope it's helpful; enjoy!
Think about the last security problem you were solving.
What were you trying to do?
Let me take a guess.
Were you trying to protect "an asset" from "unauthorized access" to preserve the "confidentiality, integrity or availability" of the information system?
From penetration testing to encryption, everything we do in security is just that.
That's the beauty of security.
There are thousands of controls in the market, but at the end of the day it all goes back to first principles.
One of the fundamental security control frameworks is Access Management. Your ability to design a secure system relies on your understanding of:
Identification
Authentication
Authorization
Audit (or Accountability)
All security controls can be categorized into one of these 4 categories.
Defenders are trying to solidify them, attackers are trying to break them.
In this post, we'll explore everything you need to know about these concepts. You'll learn how to approach an open-ended security question the next time you see it.
The Concept
We can't build a house without a solid foundation. Let's deep dive into the key concepts.
Identification
It's about answering "Who are you?".
Much like the physical world, you are assigned multiple identities online. The username that you enter when logging into your laptop or an application is your identity.
One thing to remember about identity: most of the time, it is established "out of band" in a separate registration workflow. The first time you signed up for Substack, you probably entered an email address. For Substack, that's your identity.
Authentication
It's about proving you are who you say you are.
An identity doesn't have any inherent security control. You can claim to be anyone you want to be.
Fun fact: E-mail started off as a program that didn't have authentication in its design.
But in the modern world, I can't claim to be you. Well, I shouldn't be able to.
Authentication verifies your identity using one of these 3 ways:
Something you know: passwords, pins, patterns etc.
Something you have: a mobile, security key etc.
Something you are: biometrics, signature etc.
Usernames (identity) and passwords (something you know) are the most widely used authentication mechanism out there, despite being the weakest. But that's for some other time.
Similar to identity, authentication mechanisms also require an "out of band" registration. When you require multiple factors to authenticate, that's called Multi-Factor Authentication (MFA). Innovative, right?
Side note: To continue reading these posts, please enable MFA across all your accounts.
Authorization
It's about what you're allowed to do after you authenticate.
Just because you are authenticated doesn't mean you can access everything.
Authorization controls can be thought of as a middleware that allows/denies your access request. These decisions are made based on a predetermined policy.
Fundamentally, there are two ways systems authorize you:
Access Control List: a rule-based list attached to an object, specifying which subjects (users or processes) can access it and what operations they can perform. Examples include RBAC, ABAC, file system permissions etc.
Capability List: a user or process-centric list that specifies what objects the user/process can access and what actions they can take on those objects. Session tokens, keys are examples of this.
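The difference is which side holds the list: an ACL is attached to the object, while a capability list belongs to the subject. Together they form the "Access Matrix".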
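The two views of the access matrix, as an added example that is not part of the original post. Subjects, objects, rights and function names are constructed for illustration; the revocation case at the end goes slightly beyond the text to show why capabilities such as session tokens need an expiry.

```python
# Constructed sample matrix: (subject, object) -> set of permitted actions.
SAMPLE_MATRIX = {
    ("alice", "post-42"): {"read", "edit"},
    ("alice", "billing"): {"read"},
    ("bob", "post-42"): {"read"},
    ("svc-mailer", "subscriber-list"): {"read"},
}

def acl_for(matrix, obj):
    """Column view: the list attached to an object (who may do what to it)."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj}

def capabilities_for(matrix, subject):
    """Row view: the list handed to a subject (what it may touch and how)."""
    return {o: set(r) for (s, o), r in matrix.items() if s == subject}

def allowed_by_acl(matrix, subject, obj, action):
    """Object-side check. Anything not listed is denied by default."""
    return action in acl_for(matrix, obj).get(subject, set())

def allowed_by_capability(capabilities, obj, action):
    """Subject-side check: the caller presents the capabilities it holds."""
    return action in capabilities.get(obj, set())

def revoke(matrix, subject, obj):
    """Remove one cell of the matrix."""
    matrix.pop((subject, obj), None)

if __name__ == "__main__":
    matrix = dict(SAMPLE_MATRIX)
    print("ACL on post-42:", acl_for(matrix, "post-42"))
    print("alice's capabilities:", capabilities_for(matrix, "alice"))

    # A capability issued earlier behaves like a session token: it is a copy.
    bob_token = capabilities_for(matrix, "bob")
    revoke(matrix, "bob", "post-42")
    print("ACL check after revoke:", allowed_by_acl(matrix, "bob", "post-42", "read"))
    print("old token still says:", allowed_by_capability(bob_token, "post-42", "read"))
```

The ACL check sees the revocation immediately; the capability issued earlier keeps working until it expires or is checked against a revocation list.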
Audit
It's about keeping a record of "Who did what, and when?".
Audit is not a preventative security control by design. But it's the most useful one after an incident occurs. It gives us the ability to trace "an action" back to "a subject".
One thing to remember about audit: if it's not immutable, there's very little value. Logs become the attacker's first target, since erasing them covers their tracks and helps them persist on your machines longer.
Pay extra attention when designing audit logging for your systems.
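One way to make an audit log tamper-evident, shown as an added example that is not part of the original post: each "who did what, and when" record is chained to the previous one by a SHA-256 hash, and the latest hash is kept somewhere the logging host cannot write. The function names and sample records are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def digest(prev_hash, record):
    """Hash the previous entry's hash together with this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, who, what, when):
    """Add a record and return the new head hash (store it off-host)."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"who": who, "what": what, "when": when}
    log.append({"record": record, "prev": prev, "hash": digest(prev, record)})
    return log[-1]["hash"]

def verify(log, trusted_head=None):
    """Return -1 if intact, else the index where the chain first breaks.

    Without trusted_head only internal consistency is checked, so a log
    that was truncated or rewritten end to end would still pass.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)  # entries missing from the end, or whole log replaced
    return -1

if __name__ == "__main__":
    log = []  # constructed sample events
    append(log, "alice", "login", "2024-01-01T10:00:00Z")
    append(log, "alice", "subscribe", "2024-01-01T10:01:00Z")
    head = append(log, "bob", "delete-post", "2024-01-01T10:02:00Z")

    edited = copy.deepcopy(log)
    edited[1]["record"]["who"] = "mallory"
    print("intact:", verify(log, head))
    print("edited entry found at:", verify(edited, head))
    print("truncated, no head:", verify(log[:2]))
    print("truncated, with head:", verify(log[:2], head))
```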
Real-World Walkthrough
Let's solidify our understanding by walking through an example.
We will use the "Substack" application to understand today's concepts.
Assumption: You have an account on Substack. Please create one if you don't.
Step 1: You clicked a link and now you're here on this post. Do you see the "Sign In" button at the top corner?
Let's click that and see this on the next screen:
Step 2: The "Email" it asks you to enter is the question: "Who are you?"; Identification.
Step 3: Check your mailbox, you should see an email with a signed link:
The link that you see in this email is an authenticated link. Clicking it will log you in. It's basically something you have: access to that mailbox. Authentication.
Step 4: Now you're logged in, let's see what you can do. Here's an idea, do you see this on the top right corner?
Let's see if that "brown button" works for you. Go ahead, click it and follow through the prompts.
Oh wow, it worked! All this time, you could've subscribed already. I wonder what was the issue, lol.
Step 5: We certainly don't have access to Substack logging, but check your browser history. It's a very weak form of logging your activity. It's not immutable, so not reliable. But you get the idea.
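How a signed login link like the one in Step 3 can work, as an added example that is not part of the original post and is not Substack's implementation. It assumes an HMAC-SHA256 tag over the email, an expiry time and a one-time nonce; all names and the token layout are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
USED_NONCES = set()                   # assumption: stands in for a shared store

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(email, now, ttl=900):
    """Build the value that would be placed in the emailed link."""
    payload = f"{email}|{int(now) + ttl}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(tag)}"

def redeem_token(token, now):
    """Return the authenticated email, or None if the link must be rejected."""
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = unb64(payload_part), unb64(tag_part)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    # Parse only after the tag has been verified.
    email, expires, nonce = payload.decode().rsplit("|", 2)
    if now > int(expires) or nonce in USED_NONCES:
        return None  # expired, or already used once
    USED_NONCES.add(nonce)
    return email

if __name__ == "__main__":
    token = issue_token("reader@example.com", now=1000)  # constructed sample
    print("first click:", redeem_token(token, now=1001))
    print("second click:", redeem_token(token, now=1002))
```

The tag ties the link to one email address, the expiry bounds how long a leaked link is useful, and the nonce makes it single-use.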
Parting Thoughts
In interviews, you may get asked to assess the effectiveness of a security control. Before thinking about anything else, ask yourself "what is this control doing". Note down what it's supposed to do. From there you'll be able to provide a thoughtful answer. Most interviewers are looking for how clearly you understand security.
For assessing security of a system or thinking like an attacker to break it, follow this sequence:
(Identity) Who has access to this system?
(Authentication) How can I trick the system into mistaking me for someone else?
(Authorization) If I'm in, what resources do I have access to?
(Audit) Are there controls monitoring audit logs, and if so, how can I alter them?
Now, let's do some exercise. Imagine you get a notification from an app saying your account is being accessed from another part of the world. Tell us 3 things that could've gone wrong, keep them grounded in fundamentals we discussed today.
Share in the comments!
Interview Questions
You're hired to design the security system for our upcoming hacker conference application. How would you approach it?
You're in a situation where a user needs temporary elevated access. How would you handle this authorization request securely?
How would you approach investigating a potential security breach? What types of information should be logged?
Get In Touch
Want to chat? Find me on LinkedIn.
If you want me to cover a particular topic in security or have feedback, you can reach out directly on akash@chromium.org.
Hope you enjoyed this content, please share with someone who might benefit and subscribe. Hit that like button, your response really motivates me to keep going.